DETAILED ACTION 

1. This office action is in reply to an amendment filed on October 22, 2004. Claims 1, 7, 13, 
27, 36, 39, 43, 46, 50 and 56 have been amended, claims 53-55 have been cancelled and new 
claims 61-63 have been added. Claims 1-52 and 56-63 are pending. 

Claim Rejections - 35 USC § 112 

2. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claims 1, 36 and 43 recite the limitation "said first resource". There is insufficient 
antecedent basis for this limitation in the claim. 

4. Claims 27 and 50 recite the limitation "said access system interface". There is 
insufficient antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21 (2) 
of such treaty in the English language. 

6. Claims 56, 59 and 60 are rejected under 35 U.S.C. 102(e) as being anticipated by Gupta 
et al. US Patent 6,226,752 B1 (hereinafter Gupta). 
7. As per claim 56, Gupta teaches a method for providing access services, comprising the 
steps of: 

authenticating a first user [column 12, lines 24-41]; 

causing user session state information to be stored at a client for said first user [column 
12, lines 50-56]; 

authorizing said first user to access a first protected resource [column 12, lines 42-51]; 

receiving a request from an application without a web agent front end to allow said first 
user to access a second protected resource, said step of receiving a request includes receiving 
said user session state information from said application [column 11, lines 46-53]; 

authorizing said first user to access said second protected resource without requiring 
said first user to re-submit authentication credentials, if said first user is authorized to access 
said second protected resource [column 12, lines 41-66]. 

8. As per claim 59, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein: said user session state information is a session token from a 
cookie stored on a client for said first user, said session state information was created by an 
access system [column 12, lines 46-61]; and said access system performs said step of 
attempting to authorize [column 12, lines 54-61]. 

9. As per claim 60, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: determining whether said first resource is 
protected [column 12, lines 25-42]; determining an authentication scheme for said first resource 
[column 12, lines 25-42]; and determining whether said authentication scheme is satisfied based 
on said user session state information [column 12, lines 25-42] and making available to said 
application an indication of whether said user session is protected and the authentication scheme 
[column 12, lines 14-42]. 

Claim Rejections - 35 USC § 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

11. Claims 1, 2, 6, 7, 9-22, 26, 27, 31-36, 39-43, 46-50 and 61 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Gupta et al. US Patent 6,226,752 B1 (hereinafter referred to 
as Gupta) in view of Olden US Patent 6,460,141 B1. 

12. As per claims 1 and 36, Gupta teaches a method for providing access services, 
comprising the steps of: 

receiving user session state information for a first user at an access system interface 
(i.e., login server), said user session state information is from an application without a web 
agent front end (understood by the examiner as a stand alone or multiple application server, i.e., 
an application server not connected behind a web server or any other web agent) [column 11, 
lines 46-53 and column 12, lines 13-25]; 

receiving at the access system interface (i.e., login server) a request to authorize said 
first user to access a resource [column 12, lines 13-27], said request to authorize is from an 
application without a web agent front end [column 11, lines 10-20, and column 12, lines 13-27]; 
and 

authorizing said first user to access the resource without requiring said first user to re- 
submit authentication credentials [column 12, lines 54-61]. 

Gupta further teaches the system, wherein the login server provides routines for 
communication and data transfer with application servers [column 12, lines 13-17], further 
providing user authentication with multiple sets of methods [column 12, lines 26-36]. It is inherent 
that these routines provide a program interface, so that different programs (methods) can 
communicate with each other or transfer data between each other. However, Gupta does not 
explicitly teach an application program interface for an access system. 

Olden teaches a single sign on method for providing access services [see for example 
column 23, lines 55-67], including receiving user session information for a user at an application 
program interface for an access system [column 24, line 63 - column 25, line 27]. Both Gupta and 
Olden teach a method for providing access services. It would have been obvious to one having 
ordinary skill in the art at the time the invention was made to employ the teachings of Olden 
within the system of Gupta in order to incorporate APIs into a single sign on system. 

13. As per claims 27, 50 and 61, Gupta teaches a method for providing access services by 
an application without a web agent front end, comprising the steps of: 

receiving, at an application, an electronic request from a first user to access a first 
resource, said step of receiving includes receiving information from a cookie [column 11, lines 
46-67 and column 12, lines 1-6]; 

providing said information from said cookie to an access system interface (i.e., login 
server) [column 12, lines 14-24]; and 
accessing authorization services including requesting said access system interface to 
authorize said first user to access said first resource based on information from said request 
from said first user and based on said information from said cookie [column 12, lines 14-61]. 

Gupta further teaches the system, wherein the login server provides routines for 
communication and data transfer with application servers [column 12, lines 13-17], further 
providing user authentication with multiple sets of methods [column 12, lines 26-36]. It is inherent 
that these routines provide a program interface, so that different programs (methods) can 
communicate with each other or transfer data between each other. However, Gupta does not 
explicitly teach an application program interface for an access system. 

Olden teaches a single sign on method for providing access services [see for example 
column 23, lines 55-67], including providing information from a cookie to an application program 
interface for an access system [column 24, line 51 - column 25, line 27]. Both Gupta and Olden 
teach a method for providing access services. It would have been obvious to one having 
ordinary skill in the art at the time the invention was made to employ the teachings of Olden 
within the system of Gupta in order to incorporate APIs into a single sign on system. 

14. As per claim 43, Gupta teaches an apparatus, comprising: 

a communication interface [column 11, lines 25-37 and figures 1 and 2]; 

one or more storage devices [column 11, lines 25-37 and figures 1 and 2]; and 

one or more processors in communication with said one or more storage devices and 
said communication interface [column 11, lines 25-37 and figures 1 and 2], said one or more 
processors programmed to perform a method comprising: 

receiving user session state information for a first user at an access system interface 
(i.e., login server), said user session state information is from an application without a web 
agent front end (understood by the examiner as a stand alone or multiple application server, 
i.e., an application server not connected behind a web server or any other web agent) [column 
11, lines 46-53 and column 12, lines 13-25]; 

Application/Control Number: 09/814,091 Page 7 

Art Unit: 2135 

receiving at the access system interface (i.e., login server) a request to authorize said 
first user to access a resource [column 12, lines 13-27], said request to authorize is from an 
application without a web agent front end [column 11, lines 10-20, and column 12, lines 13-27]; 
and 

authorizing said first user to access the resource without requiring said first user to re- 
submit authentication credentials [column 12, lines 54-61]. 

Gupta further teaches the system, wherein the login server provides routines for 
communication and data transfer with application servers [column 12, lines 13-17], further 
providing user authentication with multiple sets of methods [column 12, lines 26-36]. It is inherent 
that these routines provide a program interface, so that different programs (methods) can 
communicate with each other or transfer data between each other. However, Gupta does not 
explicitly teach an application program interface for an access system. 

Olden teaches a single sign on method for providing access services [see for example 
column 23, lines 55-67], including receiving user session information for a user at an application 
program interface for an access system [column 24, line 63 - column 25, line 27]. Both Gupta and 
Olden teach a method for providing access services. It would have been obvious to one having 
ordinary skill in the art at the time the invention was made to employ the teachings of Olden 
within the system of Gupta in order to incorporate APIs into a single sign on system. 
15. As per claim 2, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein said user session state information is 
a session token from a cookie stored on a client for said first user [column 11, line 67]. 

16. As per claims 6, 39 and 46, the combination of Gupta and Olden teaches the method as 
applied above. Furthermore, Gupta teaches the method, wherein: said user session state 
information is a session token from a cookie stored on a client for said first user, said session 
state information was created by an access system [column 12, lines 46-61]; and said access 
system performs said step of attempting to authorize [column 12, lines 54-61]. 

17. As per claim 7, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein: said user session state information is 
a session token from a cookie stored on a client for said first user, said user session state 
information was created by an access system and provided to said application by said access 
system (logon server redirects the browser back to application server, with session information 
included with the redirection) [column 12, lines 42-60]; said application caused said session 
token to be stored in said cookie and said access system performs said step of attempting to 
authorize [column 12, lines 42-60]. 

18. As per claim 9, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein said resource request information 
includes: an identification of a resource type, an identification of a resource, and an identification 
of an operation [column 11, lines 39-45]. 
19. As per claim 10, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein said resource request information 
includes: an identification of a resource type, an identification of a resource, an identification of 
an operation, and query string information [column 11, lines 39-45 and column 14, lines 33-42]. 

20. As per claim 11, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein said resource request information 
includes: an identification of a resource type, an identification of a resource, an identification of 
an operation, and post data information [column 11, lines 39-45 and column 14, lines 33-42]. 

21. As per claim 12, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches standalone or multiple application servers [column 11, lines 
10-25]. 

22. As per claim 13, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein: 

said step of attempting to authorize is based on said user session state information and 
said resource request information [column 11, lines 45-51 and column 12, lines 14-24]. 

23. As per claim 14, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: creating a 
resource request object, said resource request object represents a request to access said first 
resource (sending a request to access a resource) [column 11, lines 46-51]; and creating a user 
session object, said user session object represents said first user after said first user has been 
authenticated [column 12, lines 42-61]. 

24. As per claims 15, 34, 40, 41, 47 and 48, the combination of Gupta and Olden teaches 
the method as applied above. Furthermore, Gupta teaches the method further comprising the 
steps of: determining whether said first resource is protected [column 12, lines 25-42]; 
determining an authentication scheme for said first resource [column 12, lines 25-42]; and 
determining whether said authentication scheme is satisfied based on said user session state 
information [column 12, lines 25-42] and making available to said application indication of 
whether said user session is protected and authentication scheme [column 12, lines 14-42]. 

25. As per claim 16, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

making available to said application an indication of whether said first resource is 
protected [column 12, lines 25-42]; and making available to said application an indication of 
said authentication scheme [column 12, lines 25-42]. 

26. As per claim 17, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

determining one or more authentication actions for said first resource [column 12, lines 
25-42]. 

27. As per claim 18, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 
making available to said application an indication of said one or more authentication 
actions for said first resource [column 12, lines 25-42]. 

28. As per claim 19, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

performing at least one of said authentication actions for said first resource [column 12, 
lines 25-42]. 

29. As per claim 20, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

determining one or more authorization actions for said first resource [column 12, lines 
25-42]. 

30. As per claim 21, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

making available to said application an indication of said one or more authorization 
actions for said first resource [column 12, lines 25-42]. 

31. As per claim 22, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the step of: 

performing at least one of said authorization actions for said first resource [column 12, 
lines 25-42]. 
32. As per claims 26, 35, 42 and 49, the combination of Gupta and Olden teaches the 
method as applied above. Furthermore, Gupta teaches the method further comprising the step 
of: 

allowing said first user to access said first resource if said first user is authorized to 
access said first resource [column 12, lines 42-53]. 

33. As per claim 31, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: 

requesting data from said information from said cookie, said request being made to said 
access system interface [column 12, lines 12-23], receiving said data from said access system 
interface [column 12, lines 41-61] and using said data for an access system service [column 12, 
lines 41-61]. 

34. As per claim 32, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method wherein, the cookie was originally provided by 
a first web agent (a client browser) [column 11, lines 45-50]. 

35. As per claim 33, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method wherein, the cookie was originally provided by 
an access system interface [column 12, lines 54-61]. 

36. Claims 3-5, 8, 28-30, 37, 38, 44, 45, 51, 52 and 62-63 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Gupta (US Patent 6,226,752 B1) in view of Olden US Patent 
6,460,141 as applied above and further in view of Wood et al. (hereinafter referred to as Wood) 
(US Patent No. 6,668,322 B1). 

37. As per claims 3, 28, 37, 44, 51 and 62-63, Gupta teaches the method as applied above. 
Furthermore, Gupta teaches said user session state information is from a cookie stored on a 
client for said first user [column 12, lines 50-62]. Gupta also suggests using encryption method 
to transfer information between access server, application server and client, including 
encrypting session information [column 14, lines 12-26]. Gupta does not clearly teach said user 
information is encrypted and decrypting said user session information. However, Wood teaches 
a method of providing access services, wherein user session information is encrypted and 
decrypting user session state information [column 7, lines 32-63]. Therefore it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to encrypt and 
decrypt user session information as per teachings of Wood and employ it within the combination 
of Gupta and Olden, in order to utilize secure transfer of information between access server, 
application server and client and protect sensitive information stored in session token (cookie). 

38. As per claims 4, 29, 38, 45 and 52 the combination of Gupta, Olden and Wood teaches 
the method as applied above. Furthermore, Wood teaches decrypting encrypted session 
information at an access server, wherein only the access server possesses a key needed for 
decryption [column 7, lines 32-63]. 

39. As per claims 5 and 30, the combination of Gupta, Olden and Wood teaches the 
method as applied above. Furthermore, Wood teaches session information includes identity of 
the user [column 8, lines 9-25]. 
40. As per claim 8, the combination of Gupta and Olden teaches the method as applied 
above. Furthermore, Gupta teaches the method, wherein session information includes user 
identity and time period [column 11, lines 59-66]. Gupta does not explicitly teach session 
information includes an authentication level for a user. However, Wood teaches session 
information that includes authentication level for a user [column 8, lines 9-13 and column 2, 
lines 35-42]. Therefore it would have been obvious to one having ordinary skill in the art at the 
time the invention was made to include an authentication level for a user in the session information 
as per the teachings of Wood and employ it within the combination of Gupta and Olden, in order to 
allow clients with different authentication levels and further increase the security of protected 
information. 

41. Claims 23-25 are rejected under 35 U.S.C. 103(a) as being unpatentable over Gupta 
(US Patent No. 6,226,752 B1) in view of Olden US Patent 6,460,141 as applied above and 
further in view of Wenig et al. (hereinafter referred to as Wenig) US Patent 6,286,098 B1. 

42. As per claim 23, Gupta teaches a method for providing access services as applied 
above. Gupta does not explicitly teach determining one or more audit rules for a resource. 
However Wenig teaches determining one or more audit rules for a resource [column 1, lines 55- 
67 and column 10, lines 7-34]. Therefore it would have been obvious to one having ordinary skill 
in the art at the time the invention was made to determine one or more audit rules for a resource 
as per the teachings of Wenig and employ it within the combination of Gupta and Olden in order to 
verify events that occurred during a particular user session within client and server applications. 
43. As per claims 24 and 25, the combination of Gupta, Olden and Wenig teaches the method 
as applied above. Furthermore, Wenig teaches making available to an application an indication 
of one or more audit rules for a resource and performing at least one of said audit rules for said 
resource [column 10, lines 7-34]. 

44. Claims 57 and 58 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gupta (US Patent No. 6,226,752 B1) in view of Wood et al. (hereinafter referred to as Wood) 
(US Patent No. 6,668,322 B1). 

45. As per claim 57, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches said user session state information is from a cookie stored on a client for said first user 
[column 12, lines 50-62]. Gupta also suggests using encryption method to transfer information 
between access server, application server and client, including encrypting session information 
[column 14, lines 12-26]. Gupta does not clearly teach said user information is encrypted and 
decrypting said user session information. However, Wood teaches a method of providing 
access services, wherein user session information is encrypted and decrypting user session 
state information [column 7, lines 32-63]. Therefore it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to encrypt and decrypt user session 
information as per teachings of Wood and employ it within the system of Gupta, in order to 
utilize secure transfer of information between access server, application server and client and 
protect sensitive information stored in session token (cookie). 

46. As per claim 58, the combination of Gupta and Wood teaches the method as applied 
above. Furthermore, Wood teaches decrypting encrypted session information at an access 
server, wherein only the access server possesses a key needed for decryption [column 7, lines 
32-63]. 

Response to Arguments 

47. Applicant's arguments with respect to claims 1-52 and 61-63 have been considered but 
are moot in view of the new ground(s) of rejection. 

48. Applicant's arguments with respect to claims 56-60 have been fully considered but they 
are not persuasive. With respect to claims 56-60, applicant argues that Gupta fails to teach 
authorizing a first user to access a protected resource without requiring the user to re-submit 
authentication credentials. Examiner respectfully disagrees. 

Examiner would point out that Gupta discloses authorizing a first user to access a 
protected resource without requiring the user to re-submit authentication credentials [see Gupta 
column 12, lines 53-67]. 

Conclusion 

49. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing date 
of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Beemnet W Dada whose telephone number is (571) 272-3847. The 
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 